pmckeown / dependency-track-maven-plugin

Maven plugin that integrates with a Dependency Track server to submit dependency manifests and optionally fail execution when vulnerable dependencies are found.
Apache License 2.0
61 stars 19 forks

Respect Maven's proxy settings #398

Open chovyy opened 1 year ago

chovyy commented 1 year ago

From my workstation, our DT server is only reachable through a proxy.

For uploading BOMs, I have to set Java environment variables when calling this plugin:

mvn io.github.pmckeown:dependency-track-maven-plugin:upload-bom -Dhttp.proxyHost=[...] -Dhttp.proxyPort=[...]

That works fine, but it would be nice, if the plugin would take the proxy settings from Maven. In my settings.xml, I have something like:

  <proxies>
    <proxy>
      <id>[...]</id>
      <active>true</active>
      <protocol>http</protocol>
      <host>[...]</host>
      <port>[...]</port>
    </proxy>
  </proxies>

but this seems to be currently ignored by this plugin.

pmckeown commented 11 months ago

Hi @chovyy, have you tried setting the MVN_OPTS environment variable for the build system to the proxy variables?

That looks like another viable approach - see this issue for examples: https://community.sonarsource.com/t/maven-plugin-not-using-proxy/43101.

I don't have a corporate proxy that I can test a fix behind unfortunately.

If the MVN_OPTS route doesn't work, then perhaps try updating the method AbstractDependencyTrackMojo.configureUnirest() to set the proxy globally for all HTTP calls from within the proxy and submitting a PR?

chovyy commented 11 months ago

As pointed out, the problem is not that I cannot set the proxy at all, but every plugin should respect the maven settings for such things. I will try to prepare a PR... Thanks for the hint.

mikehall-mozz commented 2 months ago

[Screenshot from 2024-06-17 14-07-26 - redacted]

Not sure if you can confirm/deny, but I have a related issue: I'm trying to upload a BOM via a proxy, and have to use the -DproxyHost and -DproxyPort flags to do so. I get the error shown in the screenshot.

Command: mvn -X io.github.pmckeown:dependency-track-maven-plugin:upload-bom -Ddependency-track.dependencyTrackBaseUrl=https://<url> -Ddependency-track.apiKey=<key> -Dhttps.proxyHost=<host> -Dhttps.proxyPort=8080

Stack trace:

io.github.pmckeown.dependencytrack.DependencyTrackException: java.net.SocketException: Broken pipe (Write failed)
    at io.github.pmckeown.dependencytrack.upload.UploadBomAction.doUpload (UploadBomAction.java:92)
    at io.github.pmckeown.dependencytrack.upload.UploadBomAction.upload (UploadBomAction.java:48)
    at io.github.pmckeown.dependencytrack.upload.UploadBomMojo.performAction (UploadBomMojo.java:76)
    at io.github.pmckeown.dependencytrack.AbstractDependencyTrackMojo.execute (AbstractDependencyTrackMojo.java:91)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: kong.unirest.UnirestException: java.net.SocketException: Broken pipe (Write failed)
    at kong.unirest.DefaultInterceptor.onFail (DefaultInterceptor.java:43)
    at kong.unirest.CompoundInterceptor.lambda$onFail$2 (CompoundInterceptor.java:54)
    at java.util.stream.ReferencePipeline$3$1.accept (ReferencePipeline.java:195)
    at java.util.Collections$2.tryAdvance (Collections.java:4747)
    at java.util.stream.ReferencePipeline.forEachWithCancel (ReferencePipeline.java:127)
    at java.util.stream.AbstractPipeline.copyIntoWithCancel (AbstractPipeline.java:502)
    at java.util.stream.AbstractPipeline.copyInto (AbstractPipeline.java:488)
    at java.util.stream.AbstractPipeline.wrapAndCopyInto (AbstractPipeline.java:474)
    at java.util.stream.FindOps$FindOp.evaluateSequential (FindOps.java:150)
    at java.util.stream.AbstractPipeline.evaluate (AbstractPipeline.java:234)
    at java.util.stream.ReferencePipeline.findFirst (ReferencePipeline.java:543)
    at kong.unirest.CompoundInterceptor.onFail (CompoundInterceptor.java:56)
    at kong.unirest.apache.ApacheClient.request (ApacheClient.java:138)
    at kong.unirest.Client.request (Client.java:57)
    at kong.unirest.BaseRequest.request (BaseRequest.java:365)
    at kong.unirest.BaseRequest.asObject (BaseRequest.java:271)
    at io.github.pmckeown.dependencytrack.upload.BomClient.uploadBom (BomClient.java:47)
    at io.github.pmckeown.dependencytrack.upload.UploadBomAction.doUpload (UploadBomAction.java:79)
    at io.github.pmckeown.dependencytrack.upload.UploadBomAction.upload (UploadBomAction.java:48)
    at io.github.pmckeown.dependencytrack.upload.UploadBomMojo.performAction (UploadBomMojo.java:76)
    at io.github.pmckeown.dependencytrack.AbstractDependencyTrackMojo.execute (AbstractDependencyTrackMojo.java:91)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: java.net.SocketException: Broken pipe (Write failed)
    at java.net.SocketOutputStream.socketWrite0 (Native Method)
    at java.net.SocketOutputStream.socketWrite (SocketOutputStream.java:110)
    at java.net.SocketOutputStream.write (SocketOutputStream.java:150)
    at sun.security.ssl.SSLSocketOutputRecord.deliver (SSLSocketOutputRecord.java:340)
    at sun.security.ssl.SSLSocketImpl$AppOutputStream.write (SSLSocketImpl.java:1299)
    at unirest.shaded.org.apache.http.impl.io.SessionOutputBufferImpl.streamWrite (SessionOutputBufferImpl.java:124)
    at unirest.shaded.org.apache.http.impl.io.SessionOutputBufferImpl.write (SessionOutputBufferImpl.java:160)
    at unirest.shaded.org.apache.http.impl.io.ContentLengthOutputStream.write (ContentLengthOutputStream.java:113)
    at unirest.shaded.org.apache.http.impl.io.ContentLengthOutputStream.write (ContentLengthOutputStream.java:120)
    at unirest.shaded.org.apache.http.entity.StringEntity.writeTo (StringEntity.java:167)
    at unirest.shaded.org.apache.http.impl.DefaultBHttpClientConnection.sendRequestEntity (DefaultBHttpClientConnection.java:156)
    at unirest.shaded.org.apache.http.impl.conn.CPoolProxy.sendRequestEntity (CPoolProxy.java:152)
    at unirest.shaded.org.apache.http.protocol.HttpRequestExecutor.doSendRequest (HttpRequestExecutor.java:238)
    at unirest.shaded.org.apache.http.protocol.HttpRequestExecutor.execute (HttpRequestExecutor.java:123)
    at unirest.shaded.org.apache.http.impl.execchain.MainClientExec.execute (MainClientExec.java:272)
    at unirest.shaded.org.apache.http.impl.execchain.ProtocolExec.execute (ProtocolExec.java:186)
    at unirest.shaded.org.apache.http.impl.execchain.RetryExec.execute (RetryExec.java:89)
    at unirest.shaded.org.apache.http.impl.execchain.RedirectExec.execute (RedirectExec.java:110)
    at unirest.shaded.org.apache.http.impl.client.InternalHttpClient.doExecute (InternalHttpClient.java:185)
    at unirest.shaded.org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient.java:118)
    at unirest.shaded.org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient.java:56)
    at kong.unirest.apache.ApacheClient.request (ApacheClient.java:129)
    at kong.unirest.Client.request (Client.java:57)
    at kong.unirest.BaseRequest.request (BaseRequest.java:365)
    at kong.unirest.BaseRequest.asObject (BaseRequest.java:271)
    at io.github.pmckeown.dependencytrack.upload.BomClient.uploadBom (BomClient.java:47)
    at io.github.pmckeown.dependencytrack.upload.UploadBomAction.doUpload (UploadBomAction.java:79)
    at io.github.pmckeown.dependencytrack.upload.UploadBomAction.upload (UploadBomAction.java:48)
    at io.github.pmckeown.dependencytrack.upload.UploadBomMojo.performAction (UploadBomMojo.java:76)
    at io.github.pmckeown.dependencytrack.AbstractDependencyTrackMojo.execute (AbstractDependencyTrackMojo.java:91)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:957)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:289)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:193)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)

mikehall-mozz commented 2 months ago

@pmckeown also tried to set the proxy up in the Unirest config in AbstractDependencyTrackMojo but then get a lot of test failures with Unirest throwing an exception, for example:

kong.unirest.UnirestConfigException: Http Clients are already built in order to build a new config execute Unirest.config().reset() before changing settings. 
This should be done rarely.

    at kong.unirest.Config.validateClientsNotRunning(Config.java:902)
    at kong.unirest.Config.proxy(Config.java:205)
    at io.github.pmckeown.dependencytrack.AbstractDependencyTrackMojo.configureUnirest(AbstractDependencyTrackMojo.java:180)
    at io.github.pmckeown.dependencytrack.AbstractDependencyTrackMojo.execute(AbstractDependencyTrackMojo.java:100)
    at io.github.pmckeown.dependencytrack.upload.UploadBomMojoTest.thatTheUploadBomIsSkippedWhenSkipIsReleases(UploadBomMojoTest.java:99)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
    at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
    at org.mockito.internal.runners.DefaultInternalRunner$1$1.evaluate(DefaultInternalRunner.java:55)
    at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
    at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63)
    at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
    at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
    at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
    at org.mockito.internal.runners.DefaultInternalRunner$1.run(DefaultInternalRunner.java:100)
    at org.mockito.internal.runners.DefaultInternalRunner.run(DefaultInternalRunner.java:107)
    at org.mockito.internal.runners.StrictRunner.run(StrictRunner.java:41)
    at org.mockito.junit.MockitoJUnitRunner.run(MockitoJUnitRunner.java:163)
    at org.junit.runners.Suite.runChild(Suite.java:128)
    at org.junit.runners.Suite.runChild(Suite.java:27)
    at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
    at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
    at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
    at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
    at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:69)
    at com.intellij.rt.junit.IdeaTestRunner$Repeater$1.execute(IdeaTestRunner.java:38)
    at com.intellij.rt.execution.junit.TestsRepeater.repeat(TestsRepeater.java:11)
    at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:35)
    at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:232)
    at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:55)
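
The change the opening post asks for (take the active proxy from settings.xml instead of JVM -D flags) and the UnirestConfigException hit in the comment above, worked through as an added example. This is not the plugin's code: the class, the injected session field, the dependencyTrackBaseUrl parameter name and the matchesNonProxyHosts helper are assumptions made for the illustration; the Maven Settings/Proxy API and the Unirest config()/proxy()/reset() calls are the real ones (the trace above shows Config.proxy and names reset()).

```java
import java.net.URI;
import java.util.Arrays;
import java.util.regex.Pattern;

import kong.unirest.Unirest;
import org.apache.maven.execution.MavenSession;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.settings.Proxy;

// Example sketch, not the project's AbstractDependencyTrackMojo.
public abstract class ProxyAwareMojo extends AbstractMojo {

    // Assumed for the example: standard way to get the current MavenSession injected.
    @Parameter(defaultValue = "${session}", readonly = true, required = true)
    protected MavenSession session;

    // Assumed parameter name; mirrors the -Ddependency-track.dependencyTrackBaseUrl used in the thread.
    @Parameter(property = "dependency-track.dependencyTrackBaseUrl", required = true)
    protected String dependencyTrackBaseUrl;

    /** Applies the first <proxy> with <active>true</active> from settings.xml to Unirest. */
    protected void configureUnirestProxy() {
        // Unirest's config is global and becomes immutable once a client has been built.
        // That is the UnirestConfigException seen in the tests above, so reset first,
        // and do it once, before every other Unirest.config() call (reset() discards
        // anything configured earlier, e.g. object mapper or timeouts).
        Unirest.config().reset();

        Proxy proxy = session.getSettings().getActiveProxy();
        if (proxy == null) {
            getLog().debug("No active proxy in settings.xml; connecting directly");
            return;
        }

        String targetHost = URI.create(dependencyTrackBaseUrl).getHost();
        if (matchesNonProxyHosts(proxy.getNonProxyHosts(), targetHost)) {
            // Maven itself would bypass the proxy for this host; do the same so an
            // internal Dependency-Track server is not pushed out through the egress proxy.
            getLog().debug("Host " + targetHost + " matches nonProxyHosts; connecting directly");
            return;
        }

        // Log host:port only. proxy.getPassword() may be a real credential from
        // settings.xml, and build logs are frequently readable by many people.
        getLog().info("Using proxy " + proxy.getHost() + ":" + proxy.getPort() + " from settings.xml");
        if (proxy.getUsername() != null && !proxy.getUsername().isEmpty()) {
            Unirest.config().proxy(proxy.getHost(), proxy.getPort(),
                                   proxy.getUsername(), proxy.getPassword());
        } else {
            Unirest.config().proxy(proxy.getHost(), proxy.getPort());
        }
    }

    /**
     * Maven's nonProxyHosts syntax: patterns separated by '|', '*' as a wildcard,
     * e.g. "localhost|*.internal.example". Returns true if host should bypass the proxy.
     */
    static boolean matchesNonProxyHosts(String nonProxyHosts, String host) {
        if (nonProxyHosts == null || nonProxyHosts.isEmpty() || host == null) {
            return false;
        }
        return Arrays.stream(nonProxyHosts.split("\\|"))
                .map(String::trim)
                .filter(p -> !p.isEmpty())
                // Quote every literal segment and join them with ".*" so only '*' is special.
                .map(p -> Pattern.compile(
                        Arrays.stream(p.split("\\*", -1))
                              .map(Pattern::quote)
                              .reduce((a, b) -> a + ".*" + b).orElse(""),
                        Pattern.CASE_INSENSITIVE))
                .anyMatch(re -> re.matcher(host).matches());
    }
}
```

Two caveats for anyone turning this into a PR. First, a proxy password stored in settings.xml in Maven's encrypted `{...}` form is not decrypted by `session.getSettings()`; plugins normally pass the Proxy through Maven's SettingsDecrypter before using the password, which the sketch above does not do. Second, because `reset()` wipes the whole Unirest configuration, the proxy has to be applied inside the same method that sets the rest of the client configuration (the plugin's configureUnirest()), not from a separate place that runs later.
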

mikehall-mozz commented 2 months ago

the first part of my issue is now solved: https://github.com/pmckeown/dependency-track-maven-plugin/issues/398#issuecomment-2173576781

It was just that I didn't need the trailing /api on the base url